South Staffordshire Water fined after hackers leak customer details on dark web

More than 633,000 customers and employees had personal data published on the dark web after a phishing email triggered the breach

Author: Natalia Antoniw
Published 18 hours ago
Last updated 18 hours ago

A South Staffordshire water company has been fined almost £1 million following a cyber attack which left the details of over 600,000 people published on the dark web.

South Staffordshire Plc and South Staffordshire Water Plc have been fined £963,900 by the Information Commissioner's Office.

That's after 633,887 people had their personal information exposed for nearly two years.

What happened?

The company suffered a cyber attack back in September 2020, after an employee opened a phishing email attachment, allowing hackers to install malware on the company’s systems.

The attacker stayed inside the company’s network undetected for 20 months.

It was in May 2022 that the hacker gained full control of its IT systems.

The breach was only discovered after staff noticed IT problems in July 2022.

The hacker also attempted to deliver a ransom note to a member of staff.

Investigators found the hackers had stolen data and uploaded around 4.1 terabytes of information to the dark web, including the personal details of hundreds of thousands of customers and employees.

The information included things like names, addresses, account passwords, bank account numbers and the National Insurance numbers of some employees.

Failures by the company

The Information Commissioner's Office said the water company had poor security protections in place.

Only a small part of the company’s systems was being monitored, outdated software such as Windows Server 2003 was still in use, and some systems had not been updated or regularly checked for vulnerabilities.

Ian Hulme, ICO Interim Executive Director for Regulatory Supervision, said: “Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”

South Staffordshire Water agreed to a voluntary settlement and admitted wrongdoing early on in the investigation.

The ICO say they applied a 40% reduction to the penalty because of this, taking the fine to £963,900.
